So let’s say you are a small company, or a doctor’s office, that has to comply with HIPAA and now HITECH. You and your staff are working hard to follow the rules and stay within the confines of the regulations. You’re not perfect, but you’re getting better as a company, everyone on your team is now rowing in the same direction, and you feel pretty good about it.
Then it happens: one of your staff comes to you and says that they have just mistakenly sent a fax containing PHI to the Chinese food restaurant instead of the company lunch order. There you have it, your first breach. Your first question is how many patients were impacted, and you find out it was just one. Your staff member has already talked to the restaurant manager, and he has assured them that he received the fax and promptly destroyed it.
So it’s under the 500 individual count required for notification, but by definition it is still a breach, and you are required by law to report it. Then again, if you do report it, that may flag your business with the regulators, and now they will want to audit your whole system to see where else you may be falling short. Suddenly you’re not feeling as confident in the job you’re doing in compliance as you were. Now you’re thinking you may just risk it and not report it. After all, you caught it pretty quickly, and the manager gave you his word that it was destroyed. So who will know? Plus, by not reporting you are not drawing attention to yourself and are less likely to get audited, right?
Well, think again. The Office for Civil Rights (OCR), which is the government’s enforcement arm for HIPAA and HITECH, says that not reporting may draw their attention sooner. The OCR’s regional offices are not just looking at auditing covered entities that report too many breaches under the 500 individual threshold. They are also looking at those reporting fewer breaches than their peers that meet similar criteria. This applies to Business Associates as well.
So for those companies thinking that not reporting a small incident is keeping them off the radar, they may actually be making themselves a bigger target. Fear of an audit should never be a reason for not complying with any reporting requirement. It is always best to err on the side of reporting, and just be sure that you have documented the incident properly, have an action plan to prevent it in the future, and have properly trained your staff. That will do more to benefit your compliance effort than anything. Beyond that, for the tools to properly manage that process and to ensure that your proverbial compliance “I’s” are dotted and your “T’s” are crossed, we would recommend looking at the I-Comply and I-Secure offerings from Infinity Network Solutions. These products can walk you down the path to feeling good about your compliance effort regardless of the situation before you.
So in the end, “To report or not to report?” Definitely report.